TrojanSpy.Win64.KLOGEXE.THICOBD

This Trojan Spy arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It gathers certain information on the affected computer. It logs a user's keystrokes to steal information.

It creates an event.

Arrival Details

This Trojan Spy arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Information Theft

This Trojan Spy gathers the following information on the affected computer:

• Username
• Clipboard Data
• Keystrokes
• Mouse Clicks

It logs a user's keystrokes to steal information.

Stolen Information

This Trojan Spy saves the stolen information in the following file:

• %AppData%\IconCache.db.bak

It sends the gathered information via HTTP POST to the following URL:

• {BLOCKED}.{BLOCKED}.{BLOCKED}.2 → legitimate APIPA IP Address

Other Details

This Trojan Spy does the following:

• It updates the dropped file containing stolen information every 1 minute or if a new gathered information is more than 3072 bytes.
• If the dropped file's size is more than 4096 bytes, it sends its contents to the URL via POST method.
• It checks if the following file exists which is used as a configuration for URL communication:
  • %Application Data%\Microsoft\Windows\Templates\KSettings.ini

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It creates the following event(s):

• Norton_BreakHelper613